In other words, it tries to escape all characters that need to be escaped in a URI except those characters that are legitimately part of the URI: forward slashes, the question mark before the query, etc.

The current implementation escapes all characters except those in this set:

A-Za-z0-9\-_.,'!~*#?&()/?@:[]=

Note that the URI-escaped string is not HTML-escaped. In order make a URI safe to include in an HTML page, call escape_html() as well: